25 January 2012

This morning the Websense® ThreatSeeker® Network alerted us that if a user enters the term "Download Chrome" in Google Search, the 36th result leads to potentially malicious content being downloaded to the user's machine.

I'll briefly describe the attack vector in which the content is sent to the user.

Web Search

Search for "Download Chrome":

The 36th result leads to a compromised, unofficial Google Chrome plugin Web page:

Compromised Web site
The 36th result leads to this Web site:

The above site is a legitimate, unofficial Google Chrome plugin forum Web page that is pulling in content from two malicious Web sites. We believe this Web page was compromised.

One indicator that this is a compromised site, rather than a site set up strictly for malicious purposes, is that the whois registration information, which helps indicate reputation, shows the domain was registered in 2008. The registration details also seem to indicate that real information was provided. Again, this isn't a 100% foolproof indication that the site was compromised, but it does help as circumstantial evidence.

Redirection

Looking at the source code of this Web page, we see that the page redirects the user's browser to two malicious Web sites:
1) pagead2.googlesyndlcation.com/pagead/show_ads.js (via JavaScript include - this is a Google AdSense typo-squatted URL!)

This redirection diagram shows the content the user is served by visiting the Chrome Plugin forum Web page. All this content is served to the user without the user having to click on anything at all (except for the link from Google search):

Google AdSense Typo-Squatted URL
The fake AdSense show_ads.js is loaded from a typo-squatted URL, and the whois record for that domain shows that it is clearly not a site owned by Google Inc.

Notice the details:

The real Google hosting server for show_ads.js is pagead2.googlesyndication.com (notice that in the fake domain the letter "i" in "syndication" has been swapped for the letter "l").
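The two malicious includes above are only visible by reading the page source, and the typo-squatted host is easy to miss by eye. The following script is an added example (not part of the original post or of Websense's tooling) of how a defender can audit a page's external script includes against a list of legitimate hosts and flag lookalike domains. It parses `<script src="...">` attributes with Python's standard library, normalises commonly confused characters ("l" for "i", "0" for "o", and so on), and also applies an edit-distance check so a single-character substitution such as googlesyndlcation.com is caught even if it is not in the confusable map. The sample HTML is constructed for the example; only the real AdSense host and the typo-squatted host come from the page.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts that legitimately serve the scripts we care about. The AdSense host is
# the one named in the post; extend with your own first-party/CDN hosts.
KNOWN_HOSTS = {"pagead2.googlesyndication.com"}

# Single-character substitutions that commonly appear in typo-squatted names.
CONFUSABLE = {"l": "i", "1": "i", "0": "o", "5": "s", "3": "e"}


class ScriptSrcParser(HTMLParser):
    """Collect the src attribute of every <script> tag in a document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def script_hosts(html):
    """Return the lowercase hostnames of all external script includes."""
    parser = ScriptSrcParser()
    parser.feed(html)
    hosts = []
    for src in parser.srcs:
        if src.startswith("//"):          # protocol-relative include
            src = "https:" + src
        host = urlparse(src).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def edit_distance(a, b):
    """Levenshtein distance (Wagner-Fischer, two rows)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(host):
    """Fold confusable characters so lookalikes compare equal."""
    return "".join(CONFUSABLE.get(c, c) for c in host)


def classify_host(host, known=KNOWN_HOSTS, max_distance=2):
    """'known' for an allowlisted host, 'lookalike:<host>' for a near-miss,
    'unknown' otherwise. Lookalikes are the ones worth an analyst's time."""
    if host in known:
        return "known"
    for good in known:
        if normalize(host) == normalize(good) or edit_distance(host, good) <= max_distance:
            return "lookalike:" + good
    return "unknown"


def audit_page(html):
    """Pair every external script host with its classification."""
    return [(host, classify_host(host)) for host in script_hosts(html)]


# Constructed sample page: a real AdSense include, the typo-squatted include
# described in the post, and an unrelated third-party script.
SAMPLE_HTML = """
<html><body>
<script type="text/javascript"
        src="http://pagead2.googlesyndication.com/pagead/show_ads.js"></script>
<script type="text/javascript"
        src="http://pagead2.googlesyndlcation.com/pagead/show_ads.js"></script>
<script src="//cdn.example.net/widget.js"></script>
</body></html>
"""

if __name__ == "__main__":
    for host, verdict in audit_page(SAMPLE_HTML):
        print(f"{host:40} {verdict}")
```

Run against a saved copy of a page (for example the archived forum page mentioned in this post) rather than fetching it live; the allowlist approach is only as good as the hosts you put in it, so keep `KNOWN_HOSTS` to the exact hostnames your pages are expected to load scripts from.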

I have archived a copy of the fake show_ads.js here in case you wish to research the compromised site a bit further.